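# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for the Netgear firewall/router "security log".
# Every log line becomes one "packet" entry; the unique-visitor metric is keyed
# on the source IP.  Two line layouts are accepted (see the parsing filter below).
netgear_security = {

  plugin_version = "1.0"

  # 2006-08-03 - 1.0beta - KBB - initial creation from netgear_security - added support for format variant
  # 2007-09-13 - 1.0 - KBB - renumbered per new beta policy & changed name from beta_netgear_security.cfg

  # The name of the log format
  log.format.format_label = "Netgear Security Log Format"
  log.miscellaneous.log_data_type = "firewall"
  log.miscellaneous.log_format_type = "network_device"

  # The log is in this format if any of the first ten lines match this regular expression.
  # The optional leading "[" / trailing "]" around the timestamp and the "[-/]" date
  # separators let one expression cover both line layouts:
  #   Tues, 01/20/2004 18:35:36 - ... - Source:... - Destination:...
  #   [Thu, 2006-07-13 09:59:15] - ... - Source:... - Destination:...
  #log.format.autodetect_regular_expression = "^[A-Z][a-z]+, [0-9][0-9]/[0-9][0-9]/[0-9][0-9][0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] - [^-]* - Source:.* - Destination:"
  log.format.autodetect_regular_expression = "^\\[*[A-Z][a-z]+, [0-9]+[-/][0-9]+[-/][0-9]+ [0-9][0-9]:[0-9][0-9]:[0-9][0-9]\\]* - [^-]* - Source:.* - Destination:"

  # NOTE(review): all field extraction is done by log.parsing_filters.parse below,
  # yet this is left at "false".  Confirm whether "true" is the intended value; the
  # parsing filter now clears the fields a variant does not carry, so field contents
  # do not depend on whatever the built-in parser may do first.
  log.format.parse_only_with_filters = "false"

  # Two line variations are now accepted, so a single parsing expression can no
  # longer be used; the per-variant expressions live in log.parsing_filters.parse.
  # This regular expression parses the fields from the log data
  #log.format.parsing_regular_expression = "^[A-Z][a-z]+, ([0-9][0-9]/[0-9][0-9]/[0-9][0-9][0-9][0-9]) ([0-9][0-9]:[0-9][0-9]:[0-9][0-9]) - ([^-]*) - Source:([0-9.]+), ([0-9]+), ([^ ]+) - Destination:([0-9.]+), ([0-9]+), ([^ ]+) - '([^']+)'$"

  # A log entry is a packet
  statistics.miscellaneous.entry_name = "packets"
  statistics.miscellaneous.visitor_name = "unique source IP"

  # Both "MM/DD/YYYY" and "YYYY-MM-DD" dates occur, so let Sawmill detect the layout.
  log.format.date_format = "auto"
  log.format.time_format = "auto"

  # Log fields
  log.fields = {
    date = ""
    time = ""
    operation = ""
    # "host"-typed fields are the ones Sawmill may resolve through DNS when the
    # profile enables lookups.  In a firewall drop log these are untrusted, often
    # hostile, addresses: resolving them from the analysis host is slow and tells
    # whoever controls the reverse zone that the log is being examined.  Leave DNS
    # lookups off for this profile unless that trade-off is acceptable.
    source_ip.type = "host"
    source_port = ""
    source_network = ""
    # May hold a DNS name rather than an address in the "[...]" line variant
    # (e.g. "Destination:kona4.kontera.com,WAN").
    destination_ip = ""
    destination_port = ""
    destination_network = ""
    # Free-form text taken from the device ('SMB', [Forward], ...).
    rule = ""
  } # log.fields

  # Database fields
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    #device_name = ""
    #device_ip = ""
    operation = ""
    source_ip = ""
    source_port = ""
    source_network = ""
    destination_ip = ""
    destination_port = ""
    destination_network = ""
    rule = ""
  } # database.fields

  # Log Filters
  log.filters = {
    # Every parsed line counts as exactly one packet.
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'packets = 1;'
    } # mark_entry
  } # log.filters

  database.numerical_fields = {
    packets = {
      label = "$lang_stats.field_labels.packets"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # packets
    # "Visitors" are distinct source IPs.
    visitors = {
      label = "$lang_stats.field_labels.visitors"
      default = false
      requires_log_field = true
      log_field = "source_ip"
      type = "unique"
      display_format_type = "integer"
    } # visitors
  } # database.numerical_fields

  # Log Parsing Filters
  #
  # Caveats a reader should know about:
  #   * Source addresses are matched with "[0-9.]+", i.e. IPv4 only.  A line carrying
  #     an IPv6 address matches neither branch and is silently left unparsed.
  #   * The first variant requires a non-empty quoted rule name ('([^']+)'); a line
  #     ending in '' does not match and is likewise dropped.
  #   * Neither branch validates the captured values beyond the character classes
  #     shown; the operation and rule fields are device-supplied text.
  log.parsing_filters.parse = `
#Tues, 01/20/2004 18:35:36 - TCP connection dropped - Source:91.249.99.99, 2844, WAN - Destination:24.123.253.170, 445, LAN - 'SMB'
if (matches_regular_expression(current_log_line(), "^[A-Z][a-z]+, ([0-9]+[-/][0-9]+[-/][0-9]+) ([0-9][0-9]:[0-9][0-9]:[0-9][0-9]) - ([^-]*) - Source:([0-9.]+), ([0-9]+), ([^ ]+) - Destination:([0-9.]+), ([0-9]+), ([^ ]+) - '([^']+)'$")) then (
  date = $1;
  time = $2;
  operation = $3;
  source_ip = $4;
  source_port = $5;
  source_network = $6;
  destination_ip = $7;
  destination_port = $8;
  destination_network = $9;
  rule = $10;
);
#[Thu, 2006-07-13 09:59:15] - Access site - Source:192.199.9.199,LAN - Destination:kona4.kontera.com,WAN - [Forward]
else if (matches_regular_expression(current_log_line(), "^\\[[A-Z][a-z]+, ([0-9]+[-/][0-9]+[-/][0-9]+) ([0-9][0-9]:[0-9][0-9]:[0-9][0-9])\\] - ([A-Za-z ]*) - Source:([0-9.]+),([A-Z]+) - Destination:([^,]+),([A-Z]+) - \\[([A-Za-z]+)\\]")) then (
  date = $1;
  time = $2;
  operation = $3;
  source_ip = $4;
  source_network = $5;
  destination_ip = $6;
  destination_network = $7;
  rule = $8;
  # This variant carries no port numbers.  Clear them explicitly so the port
  # fields cannot hold anything left over from an earlier parsing stage.
  source_port = "";
  destination_port = "";
);
`

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      #device_name = true
      #device_ip = true
      operation = true
      source_ip = true
      source_port = true
      source_network = true
      destination_ip = true
      destination_port = true
      destination_network = true
      rule = true
    } # report_groups
  } # create_profile_wizard_options

} # netgear_security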